Skill v1.0.3

ClawScan security

Cascade Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 22, 2026, 12:03 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are coherent with a Membrane-based Cascade Strategy integration; nothing appears to request unrelated credentials or system access, though there are small documentation omissions to be aware of.
Guidance
This skill appears to be what it claims: a Membrane-based connector for Cascade Strategy. Before installing, ensure you have Node/npm available (the SKILL.md requires running npm install -g @membranehq/cli), and verify the @membranehq/cli package and the Membrane service are from a trusted source (check the npm package page and the GitHub repository referenced). Be aware that installing global npm packages carries normal supply-chain risk. Do not share API keys—follow the described Membrane login flow (browser/authorization code). If you need higher assurance, review the Membrane CLI repository and the maintainer identity, and confirm with your organization that granting a Membrane-managed connection to Cascade Strategy is acceptable.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes a Cascade Strategy integration implemented via the Membrane CLI, which fits the skill name and description. Minor inconsistency: the registry metadata lists 'no required binaries' even though the instructions require npm/node (to install @membranehq/cli) and network access (the compatibility header mentions network).
Instruction Scope
ok: Runtime instructions are limited to installing and using the Membrane CLI, running membrane login/connect/action commands, and using Membrane-managed actions. The instructions do not ask the agent to read unrelated files, exfiltrate data, or request unrelated credentials.
Install Mechanism
note: No formal install spec in the registry (instruction-only), but SKILL.md instructs installing a global npm package (@membranehq/cli@latest). This is an expected approach for CLI-based integrations but carries normal supply-chain considerations for npm packages.
Credentials
ok: The skill declares no required environment variables or secrets and explicitly instructs not to ask users for API keys (Membrane handles auth). The requested scope (no local secrets) is proportionate to the described functionality.
Persistence & Privilege
ok: always is false and the skill does not request persistent system-wide changes. The skill relies on the Membrane CLI for auth and connections and does not modify other skills or global agent config in the instructions.